Jul 31, 20234.22.2-2023073101


  • Pro: We added functionality for scheduling backups, creating execution limits, and setting retention policies on the backups page. See documentation here.


  • Pro: We added an 'Auto' selection to payload dropdowns to pick the most appropriate payload type automatically.

  • PR 17681 - This PR adds a new datastore option for Jenkins home directory to the jenkins_gather module.

  • PR 18096 - Updates the LDAP query module and the Kerberos authentication support for WinRM/MSSQL/SMB/LDAP/etc to no work in conjunction with the user's set Proxies datastore value, i.e. set Proxies socks5:


  • Pro: We corrected table select-all population of various action forms.

  • PR 18187 - Fixes a crash when running Ruby 3.3.0-preview1 with modules that used invalid syntax when packing or unpacking binary data.

  • PR 18213 - This fixes a bug in the evasion/windows/syscall_inject module that was caused by an uninitialized variable.

  • PR 18225 - This PR fixes multiple missing and invalid references in modules.


  • PR 18142 - This PR adds a Wordpress exploit that makes use of the WordPress File Manager Advanced Shortcode 2.3.2 plugin, to gain unauthenticated Remote Code Execution through shortcode.

  • PR 18173 - This PR adds a module for CVE-2023-32315, a remote code execution vulnerability for all versions of Openfire that have been released since April 2015, starting with version 3.10.0.Patched versions are 4.7.5+ 4.6.8+ and 4.8.0+.

  • PR 18182 - This PR adds an auxiliary module that takes advantage of CVE-2023-26876 to retrieve the username and password hash from piwigo v.13.5.0 and earlier.

  • PR 18199 - This adds an exploit module that leverages a pre-authenticated command injection vulnerability in VMWare Aria Operations for Networks (vRealize Network Insight). Versions from 6.2 to 6.10 are vulnerable and this has been identified as CVE-2023-20887. The module bypasses the reverse proxy that protects the access to the Apache Thrift RPC interface and executes arbitrary commands on the underlying operating system as the root user.

Offline Update

Metasploit Framework and Pro Installers